On May 5, 2010, Phase 1 of the DNSSEC (Domain Name System Security Extensions) protocol will be pushed out to the 13 root servers that control domain name lookups worldwide. For some businesses and end users, internet access may come to an abrupt halt shortly afterward. "Oh noes, teh intarweb is broken!" Yes, parts of the web may indeed stop working temporarily, but as Douglas Adams would say, "Don't Panic."
DNSSEC incorporates a digital signature in the response information from Domain Name Servers in order to provide internet users with a higher level of security: it's a form of assurance that the domain name was translated to the right Internet endpoint (think websites and email servers).
DNSSEC was developed specifically to help defeat 'man in the middle' attacks, in which hackers intercept and interfere with DNS routing, responding with a spoofed message that sends the user to a false (and usually malicious) location. The false location would typically mimic a bank, an online store, email system, or other destination, and would exist to steal login credentials and credit card, payment, or banking information.
Make no mistake, DNSSEC is a good thing. It makes it harder for hackers, spammers, and phishers to conduct their "business".
The only downside to this is that a fair number of ISPs, businesses, merchant providers, and other private networks are still using older hardware and software that probably isn't ready for DNSSEC. The problem stems from the increase in the packet size that the DNSSEC protocol requires. The current response to a standard DNS request is normally contained in a single packet of 512 bytes or less. The DNSSEC authentication packets, with the new security tokens and signatures, are about four times that size: 2K or more.
The majority of legacy networking equipment sees this packet as abnormally large, and responds with an error message. In some cases the "excessively large" packets will be detected as a hacking attempt. This may in turn trigger a security rule, potentially refusing and/or blocking all further communication from the source for some period of time.
If the internet suddenly stops working for you on or about May 5th, contact your ISP or internal network admins. Chances are they already know about this issue, but whether or not they've done anything to prepare for the change is a whole 'nother matter.
It's beyond the scope of this blog to detail all of the steps involved in testing for DNSSEC compatibility, but a good way to tell whether your firewall/router is blocking these larger DNS packets is to use the test listed at DNS-OARC, the Domain Name System Operations Analysis and Research Center.
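A quick way to see the same thing from your own host, as an added example that is not code from this post or from DNS-OARC: the script below builds a DNS query carrying an EDNS0 OPT record with the DO bit set (the way a resolver asks for DNSSEC records and declares it can accept UDP replies larger than 512 bytes), sends it to a resolver, and classifies what comes back. The resolver address, the queried name and the 4096-byte advertised size are assumptions; a timeout or a truncated reply where a large one was expected points at a filter in the path.

```python
import socket
import struct
import sys

DNSKEY = 48  # DNSKEY responses carry signing keys, so they are among the largest DNSSEC replies

def build_edns_query(name, qtype=DNSKEY, udp_size=4096, txid=0x1234):
    """Build a DNS query with an EDNS0 OPT record: DO bit set (send DNSSEC data)
    and an advertised UDP payload size well above the classic 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional (OPT)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode(0) | version(0) | flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def diagnose_response(raw):
    """Classify a raw UDP reply from its 12-byte header and total size."""
    if len(raw) < 12:
        return "malformed"
    _, flags, _, _, _, _ = struct.unpack("!HHHHHH", raw[:12])
    if flags & 0x0200:   # TC bit: the server cut the answer short; a resolver must retry over TCP
        return "truncated"
    if len(raw) > 512:   # over the classic limit: this is the reply legacy gear may reject or drop
        return "large"
    return "classic"

def probe(server, name="org.", timeout=3.0):
    """Send the query over UDP/53 and return (verdict, bytes received).
    'timeout' means nothing came back: the request or the oversized reply was dropped."""
    query = build_edns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", 0
    return diagnose_response(raw), len(raw)

if __name__ == "__main__":
    # Assumed usage: python dnssec_probe.py <resolver-ip>; defaults to the local resolver
    verdict, size = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(f"{verdict}: {size} bytes")
```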